Facebook ecommerce plugin used by thousands of stores hacked to steal credit card data
pkfacebook is a popular plugin for PrestaShop
A Facebook plugin built for the best ecommerce platforms is said to be vulnerable in a way that allows threat actors to steal people’s credit card information, and ultimately - money.
Security researchers from Friends-of-Presta have warned of an SQL injection vulnerability in pkfacebook, claiming they observed the flaw being abused in the wild.
Pkfacebook is a plugin for PrestaShop, an open source ecommerce platform that enables individuals and businesses to create and manage their online stores. This plugin allows people to register their accounts and log in, using Facebook, leave feedback on bought items, and communicate with customer support.
Assume everyone's vulnerable
Friends-of-Presta is a community of developers, integrators, agencies, and software publishers. As per their findings, as well as those from cybersecurity researchers TouchWeb, the SQL injection flaw is tracked as CVE-2024-36680. It is being abused by malicious actors to install credit card skimmers on vulnerable websites, allowing them to steal valuable payment information.
Promokit, the company that develops and maintains the Facebook plugin, says it fixed it “long ago” but, as BleepingComputer finds, provided no proof for their claims. Right now, some 300,000 online stores are using PrestaShop, but it is impossible to determine how many are vulnerable right now.
Friends-Of-Presta believes all users should consider themselves vulnerable, and should do the following:
Update pkfacebook, make sure they use pSQL to avoid Stored XSS flaws, modify the default “ps_” prefix to a longer, arbitrary one, and activate OWASP 942 rules on the Web Application Firewall.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Breaking into vulnerable ecommerce sites to steal people’s credit card data is a popular form of cybercrime. MageCart was, at peak, by far the most popular and disruptive credit card-stealing cybercrime group out there. While lately the group has been successfully keeping a low profile, security researchers from Malwarebytes found activity that could be linked to the group, back in May 2023.
More from TechRadar Pro
- Online stores are being hijacked with fake forms to steal credit card details
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.